back to article DJI bug bounty NDA is 'not signable', say irate infosec researchers

Chinese drone maker DJI faces questions from infosec researchers about its bug bounty programme. Sources have told The Register that a non-disclosure agreement (NDA) they were invited to sign would result in the company "owning their actions". DJI's scheme to pay those that highlight security weaknesses, announced months ago …

  1. AndyS

    What exactly is objectionable?

    The article doesn't really go into what is objectionable about the NDA.

    I'd assume that the signing of an NDA is a reasonable request. It also seems fair that, to be paid for a piece of work, you should hand that work over to the company paying you. Aren't you effectively selling your work to the company?

    So, what have DJI slipped in there which people objecting to, and which is different from other bug bounty schemes?

    1. Anonymous Coward
      Anonymous Coward

      Re: What exactly is objectionable?

      " It also seems fair that, to be paid for a piece of work, you should hand that work over to the company paying you."

      That's a bit the wrong way around. They don't pay someone to do some work. They reward someone who does work for them for free and has a good enough relationship that they won't exploit this work or hand it over to crims or TLAs for an even bigger fee.

      The security researchers see it as doing the company a favour and hence getting a reward, the company may see it as an extortion racket (but it's only due to their failings).

      However if the agreement to be given the reward for your hard work is unfair or gives too much power to the company to shut you down and keep others at risk for ever more and even not pay you at all once you've signed it then you might be a bit irked.

      In another way if you have 30 top security researchers who are very bothersome with their constant stories about security issues and you can get them all to sign an NDA which says they are not allowed to mention a security bug ever again (and they might get a rewards, maybe) then you have shut down dissent and you can carry on with insecure software.

      I was genuinely considering buying a DJI drone but stories like this where they don't seem to care about security and prefer to try to ensure that issues aren't rectified they are suppressed mean that I won't risk it.

    2. Flocke Kroes Silver badge

      Generic NDA translated into English

      Our product is crap. We know it is fundamentally unfit for use in your project and by our other existing and potential customers. This information must not escape into the wild until after you are thoroughly committed to embedding our product in yours. At that time you and our other customers must each individually develop the same bodge to make your project minimally successful.

    3. Michael Felt

      Re: What exactly is objectionable?

      To NDA - "this" whatever "this" may be could be considered normal

      To pass ownership - might be okay - if paid up front - that is, you know what you are getting in advance. But not, imho, if they are evaluating it and decide to give you nothing. Maybe you found a patentable effect - and they just take it for nothing.

      Finally, between the lines of what people are saying about the formal NDA - sounds like they are making an attempt to also own "future" aka "undisclosed" (to them) information you have. Who can say what you have at time X. Their lawyers contend you had it, but did not disclose fully - and so violated the NDA ownership transfer.

      Also not heard - what court are (so-called) breaches of the NDA tried in. USA, Europe, India, ..., China? Also make a big difference.

  2. HieronymusBloggs

    "what have DJI slipped in there..."

    From the article:

    "the NDA has effectively prohibited them from carrying out any further work"

    1. Anonymous Coward
      Anonymous Coward

      Re: From the article:

      I think maybe they were hoping someone would disclose (the actual text of, the relevant part of) the NDA, not the summary.

    2. netminder

      thats nice

      I think we all can read that in the story but the question was HOW did they do that? What words made this the case?

  3. heyrick Silver badge

    Why not post a copy of the NDA?

    The NDA is some legalese protecting something. It itself isn't protected, certainly you see it before agreeing to it.

    1. James Ashton

      Re: Why not post a copy of the NDA?

      How do you know the NDA isn't itself protected by copyright, or have you seen it, in which case, why not post a copy? There's a good chance that DJI only sends out the NDA to people who apply and there's nothing to stop them controlling distribution using copyright law.

  4. Warm Braw

    Computer Fraud and Abuse Act

    I'm assuming these people aren't randomly attacking drones that happen to pass by overhead but are actively trying to find bugs in the software of drones that either belong to the security researchers or which they have been given permission to investigate by their owners.

    If DJI think it's a criminal offence to access a computer that belongs to you without their permission, then there's rather more to worry about than an NDA.

    1. Anonymous Coward
      Anonymous Coward

      Re: Computer Fraud and Abuse Act

      This is the core theme of all the DJI articles I've read. Every arcticle seemingly shapes DJI as a owner of your work or you. Ultimately, you become their scapegoat AND they profit from your work.

      Maybe hackers shouldn't be making DJI defensible.

  5. x 7

    can someone please publish the NDA so we can see what it says?

    Or do you have to sign an NDA before you can see the real NDA?

    1. Anonymous Coward
      Anonymous Coward

      That would be in breach of the NDNDAA

      1. Anonymous Coward
        Anonymous Coward

        "That would be in breach of the NDNDAA"

        The first rule of NDNDAA is not to talk about NDNDAA

        <this could go on for a while>

        1. Paul Kinsler

          <this could go on for a while>

          I don't think that's necessary. For an agreement covering a domain V, a non-disclosure agreement only needs to specify a (an impermeable) boundary surface $S = \partial V$. Since the boundary of a boundary is zero, the second non-disclosure agreement suffices to let nothing out. I suppose the only loophole might be if your domain has a non-trivial topology... [1]

          [1] And think yourself lucky that I haven't tried any jokes about there being p-forms to fill in [2].

          [2] Dammit!

      2. Adam 1

        > That would be in breach of the NDNDAA

        And we would share the NDNDAA but that would fall foul of the NDNDNDAAA. Again, I can't share the NDNDNDAAA specifics, but I can confirm that it talks a lot about turtles.

  6. John Smith 19 Gold badge
    Big Brother

    I suspect if you sign the NDA you can't talk about even if you're looking for bugs.

    IOW All information about wheather a researcher is even looking for ways in disappears into an information black hole.

    Which means they can claim "We have no security issues. You can ask any of the researchers in this area."

    Reporter asks researcher (who's signed NDA). "I know nothing of any bugs. I can neither confirm nor deny that I am investigating any vulnerabilities. I cannot comment on their security. Goodbye."

    It may be like those "National Security Letters" the FBI have been issuing to ISP's. They can't tell a customer they're being spied on. They can't tell them if the customer asks them and they can't even answer if the customer asks "Have you received an NSL on my account?"

    If I'm right would that sound somewhat Orwellian to you?

    Of course releasing a copy of the full NDA would settle matters more or less instantly.

    After all if DJI has nothing to hide, they have nothing to fear. Right?

    1. JohnFen

      Re: I suspect if you sign the NDA you can't talk about even if you're looking for bugs.

      "Reporter asks researcher (who's signed NDA). "I know nothing of any bugs."

      No NDA requires you to lie. The researcher would not have to disclaim knowledge of bugs, but could say "I am contractually prohibited from commenting on that." Which would be a useful thing to know.

      NDAs tied to bug bounty programs seems like a wonderful way of suppressing research and keeping the public from learning things that they really should know about. I hope that there are plenty of researchers who won't involve themselves in such schemes.

      1. John Smith 19 Gold badge
        Unhappy

        "NDAs tied to bug bounty programs seems like a wonderful way of suppressing research "

        Exactly my point.

        Please note. I'm not saying that DJI's is doing that, but not being transparent about it does make it look that way, doesn't it?

  7. docwebhead

    No full test, but more details here:

    https://dronelife.com/2017/11/16/dji-flawed-bug-bounty-program/

  8. M man

    Fool me once, shame on you; fool me twice, I'll sue you for breach off NDA

  9. Will Godfrey Silver badge
    FAIL

    Fools

    It's almost as if DJI want researchers to go dark.

    Perhaps they also want to go out of business when the bad guys get to work using all the bugs that nobody would now be telling them about.

  10. TrumpSlurp the Troll
    Trollface

    You product is shit!

    Thank you.

    Sign this and take $30,000. Oh, and you must never speak of this again.

    You must never speak of our product again. To anyone.

    Sounds a sensible scheme to me if they can get away with it.

    .

    .

    .

    An alternative view is that there is a highly paid research programme. Entry requirements involve locating a significant unknown security bug. After that you are inside and full commercial confidentiality rules apply. You get paid for your research but you don't get to brag about it. Just like the employees don't get to brag in public about the bugs they have found and fixed as part of their job.

    I wonder which this is?

  11. rdhood

    Dont sign, publish...

    Just start publicizing the bugs. That will wake them up.

    1. David Moore

      Re: Dont sign, publish...

      That's precisely what he did... ;-)

  12. Christian Berger

    The whole NDA thing is rather questionable anyhow

    I mean if I find out that a certain kind of LED lights is a safety hazard as it'll expose live wires when you pull on some part to hard, you damn well tell the public.

    We are far to forgiving against manufacturers of software. They often purposefully built security issues into their software and instead of issuing re-calls we allow them to patch their software as often as they like.

  13. msknight

    Company in Communist China...

    ...has an NDA which is politically objectionable to those in the West. And the shock is what... exactly?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon